Unlocking the Power of the Organizational Context: The Devil is in the Details

By Dan Ramaswami, Vice President of Field Engineering

From a security perspective, we have done a very good job of creating large data repositories that accept massive volumes of disparate information. But the problem is that we only rely on these repositories after the signal itself has been created. So, before it can be determined whether an alert is of interest or not, relevant data from these repositories must be applied to the signal for context.

To gain context, we "switch" between signaling technologies such as our firewall logs, intrusion prevention system (IPS) and endpoint detection and response system (EDR), and context sources such as Active Directory and the configuration management database (CMDB), to reconstruct the who, what and where of an alert. Or we wait for the data to land in the SIEM so we can run a query that can take hours to process. The volume of alerts is so high, and the task of determining what matters so onerous and time consuming, that teams are becoming unresponsive to alerts: 70% of SOC teams now report that they are emotionally overwhelmed by their threat alert management work. The challenge is only getting worse as organizations rely on an increasingly diverse set of tools to secure their atomized networks.

At Netography, we believe that when the devil is in the details, literally, the organizational context should be part of the signal flow, so that alerts really are alerts, not just information. Instead of waiting until after the signal is generated to apply context, we enrich cloud and on-premises network streams and metadata with organizational context at the time of ingestion. We use three broad categories of organizational context:

  1. User information, which may include the username, the department they are in, who they report to, whether they are an employee or contractor, a phone number, and office or residence details.
  2. Host information, which includes hardware, operating system, installed applications and services, patch levels, BIOS levels, etc.
  3. Location information which, in addition to a physical address, may include aspects such as the location within a specific campus – the data center, finance department or conference room, etc. – and what security controls, if any, sit between these physical locations and the destination of any traffic.

We work with clients to examine all facets of each category and define the contextual data points that matter, connecting detailed user, host, and location information. We sort the wheat from the chaff using context tags that we apply to traffic, and include the relevant data points in the signal stream as the event occurs. There is no need to hop from tool to tool to collect data, perform additional searches, or wait for queries to run.

With organizational context up front, customers are able to make business-relevant detection and response decisions with greater efficiency, ease, and speed. Instead of an alert being just "this IP address talked to that IP address", we break it down further. For instance:

  • A printer communicates with a country of great concern, such as 'The People's Republic of Well, It's Not Kentucky'. That is a problem.
  • Or an IP phone talks to a specific container in the cloud that calculates sales tax, which is probably not good: it suggests the phone was used as an initial foothold and is now being used for lateral movement.
  • Or, to take it a step further, if a laptop in the finance department is doing something it shouldn't be doing, that matters. But if that finance department laptop also has access to the SWIFT network and banking applications, then the alert becomes far more important to the business.
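The following is an added illustration of the enrich-at-ingestion idea described above, not Netography's code or product logic. It assumes a minimal flow record (source, destination, port), small inline dictionaries standing in for the CMDB, directory and location data the text mentions, and hypothetical tag names such as `src_role:printer`, `src_entitlement:swift` and `dst_geo:high_risk`. Tags are attached when the flow is ingested, and the rules, which encode the three scenarios in the list, only ever look at tags, never at raw addresses; the SWIFT entitlement escalates any hit on that host, matching the finance-laptop case.

```python
"""Context-enriched flow alerting (constructed example, not Netography code).

Assumptions: HOST_CONTEXT / USER_CONTEXT / LOCATION_CONTEXT are constructed
stand-ins for a CMDB, a directory service and an asset-location database.
Tag names and the 203.0.113.0/24 "high-risk" range are hypothetical.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed context sources keyed by IP or username.
HOST_CONTEXT = {
    "10.1.5.20": {"role": "printer", "os": "embedded"},
    "10.1.7.31": {"role": "ip_phone", "os": "embedded"},
    "10.2.0.44": {"role": "laptop", "os": "Windows 11", "owner": "jdoe"},
    "10.2.0.45": {"role": "laptop", "os": "Windows 11", "owner": "asmith"},
}
USER_CONTEXT = {
    "jdoe": {"department": "finance", "entitlements": {"swift", "banking_app"}},
    "asmith": {"department": "marketing", "entitlements": set()},
}
LOCATION_CONTEXT = [
    (ip_network("10.1.0.0/16"), "office-hq"),
    (ip_network("10.2.0.0/16"), "office-finance-floor"),
    (ip_network("10.9.0.0/16"), "cloud-sales-tax-service"),
]
HIGH_RISK_NETS = [ip_network("203.0.113.0/24")]  # constructed "Not-here-istan"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    tags: set = field(default_factory=set)


def _location(ip):
    """Map an address to a named physical/cloud location, else 'external'."""
    addr = ip_address(ip)
    for net, name in LOCATION_CONTEXT:
        if addr in net:
            return name
    return "external"


def enrich(flow):
    """Attach context tags at ingestion time, before any rule sees the flow."""
    host = HOST_CONTEXT.get(flow.src, {})
    if "role" in host:
        flow.tags.add(f"src_role:{host['role']}")
    owner = host.get("owner")
    if owner in USER_CONTEXT:
        user = USER_CONTEXT[owner]
        flow.tags.add(f"src_dept:{user['department']}")
        flow.tags.update(f"src_entitlement:{e}" for e in user["entitlements"])
    flow.tags.add(f"src_loc:{_location(flow.src)}")
    flow.tags.add(f"dst_loc:{_location(flow.dst)}")
    if any(ip_address(flow.dst) in net for net in HIGH_RISK_NETS):
        flow.tags.add("dst_geo:high_risk")
    return flow


# (name, base severity, predicate over the tag set) - rules see only tags.
RULES = [
    ("printer-to-high-risk-geo", "high",
     lambda t: "src_role:printer" in t and "dst_geo:high_risk" in t),
    ("phone-to-cloud-app", "high",
     lambda t: "src_role:ip_phone" in t and "dst_loc:cloud-sales-tax-service" in t),
    ("finance-laptop-to-high-risk-geo", "medium",
     lambda t: "src_dept:finance" in t and "dst_geo:high_risk" in t),
]


def evaluate(flow):
    """Return (rule, severity) hits; escalate when the source holds SWIFT access."""
    hits = []
    for name, sev, pred in RULES:
        if pred(flow.tags):
            if "src_entitlement:swift" in flow.tags:
                sev = "critical"
            hits.append((name, sev))
    return hits


def process(flows):
    """Enrich then evaluate each flow; keyed by 'src->dst' for easy lookup."""
    return {f"{fl.src}->{fl.dst}": evaluate(enrich(fl)) for fl in flows}


SAMPLE_FLOWS = [  # constructed sample input
    Flow("10.1.5.20", "203.0.113.7", 443),    # printer -> high-risk geo
    Flow("10.1.7.31", "10.9.3.12", 8443),     # IP phone -> sales-tax container
    Flow("10.2.0.44", "203.0.113.9", 443),    # finance laptop with SWIFT access
    Flow("10.2.0.45", "198.51.100.5", 443),   # marketing laptop, benign destination
]

if __name__ == "__main__":
    for key, hits in process(SAMPLE_FLOWS).items():
        print(key, hits or "no alert")
```

Because the rules match on tags rather than addresses, the same rule keeps working when a printer gets a new DHCP lease or a user moves departments; only the context sources change, not the detection logic.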

Customers receive true, high-fidelity, actionable alerts that warrant a response, whether that is changing a firewall rule to block communication between a database server in your cloud backend and an IP address in "Not-here-istan", or quarantining a laptop immediately in the case of a "nuclear level" security event.

These scenarios are deliberately exaggerated to show that when alerts are based on an understanding of the operating environment, leveraging organization-specific context, we know instantly that something potentially bad is happening and can act more quickly to detect and remedy it. And that's the point. Instead of alerts that require more work before you know whether to care, Netography unleashes the power of organizational context to deliver alerts that matter.

The post Unleashing the Power of Organizational Context: The Devil is in the Details appeared first on Netography.

*** This is a syndicated blog from Netography’s Security Bloggers Network written by Dan Ramaswami. Read the original post at: https://netography.com/unlocking-the-power-of-organizational-context/